IPSec VPN tunnel is up between remote VPN router and corp HQ. Windows machine is directly connected to the internal side of the router, but no default gateway is set.

I can SSH into the router and ping the Windows box, but cannot ping the Windows box directly.

Is there a way to set the gateway FROM the router since that's the only way I can communicate to it? The alternative is flying to the remote site and setting the gateway. Ouch.

Any help would be appreciated. I have tried a few things without success (for example, enabling NAT on the router to do translation; this does NOT work because of the order in which NAT is applied versus the VPN tunnel).

Hacks are welcome as long as the remote site is recoverable afterward!

"Live as though you would die tomorrow, learn as though you would live forever."

So you're trying to remotely set the gateway of the Windows box but since it doesn't have a gateway, you can only get to it from the router which is on the same local network, right? Just want to be sure.

Are there any other Windows boxes on that network that DO have a gateway set? What type of router are you dealing with? You can PM me if you don't want to broadcast it.

No worries, consider this to be a generic remote office setup. Windows XP box sitting behind a Cisco router, running the most up-to-date Cisco IOS 15.X. Users use the system locally as a standalone box. The VPN is for remote training, troubleshooting, administration, updates, etc. In this case the installer forgot to set that one little setting... the default gw.

You are correct in your understanding, so you know what my problem is. No gateway = no routing. One way traffic is fine, but the responses never come back. I can get to the server from the router itself, as you say.

"Live as though you would die tomorrow, learn as though you would live forever."
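To make the "no gateway = no routing, one-way traffic only" point concrete, here is an added example (not code from anyone in this thread) that simulates the host's forwarding decision with a longest-prefix-match routing table. All addresses are constructed: 192.168.10.0/24 is assumed to be the remote LAN, 192.168.10.1 the router's LAN-side address, 192.168.10.50 the Windows box, and 10.0.0.5 an address at HQ reached through the tunnel. It shows why a request from the router's own LAN address gets a reply, why a request from HQ is silently dropped at the reply step, and why translating the source to an on-link address would change that outcome.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables for the remote Windows host.
# With no default gateway the only route is the directly connected subnet.
HOST_NO_GW = [(ip_network("192.168.10.0/24"), "on-link")]
# Same host once a default gateway (the router's LAN address) is configured.
HOST_WITH_GW = HOST_NO_GW + [(ip_network("0.0.0.0/0"), "192.168.10.1")]

HOST_IP = "192.168.10.50"      # assumed address of the Windows box
ROUTER_LAN_IP = "192.168.10.1"  # assumed LAN-side address of the Cisco router
HQ_IP = "10.0.0.5"              # assumed address at corp HQ, beyond the tunnel


def lookup(table, dst):
    """Longest-prefix match: return (network, next_hop) or None if no route."""
    dst = ip_address(dst)
    best = None
    for net, next_hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def exchange(table, src):
    """Simulate request from `src` to the host and the host's reply.

    Delivery of the inbound packet does not depend on the host's routing
    table (it arrives on the link), but the reply does: if the host has no
    route back to `src`, the reply is dropped and the exchange is one-way.
    Returns (request_delivered, reply_route) where reply_route is the
    next hop used for the reply or None when the reply cannot be sent.
    """
    request_delivered = True  # arrives via the directly connected link
    route = lookup(table, src)
    reply_route = route[1] if route else None
    return request_delivered, reply_route


def exchange_with_snat(table, src, translated_src):
    """Same exchange, but the router rewrites the source to an on-link
    address before forwarding (an assumed source-NAT step on the router);
    the host now replies to the translated address instead of `src`."""
    return exchange(table, translated_src)


if __name__ == "__main__":
    print("router -> host, no gw:", exchange(HOST_NO_GW, ROUTER_LAN_IP))
    print("HQ -> host, no gw:    ", exchange(HOST_NO_GW, HQ_IP))
    print("HQ -> host, with gw:  ", exchange(HOST_WITH_GW, HQ_IP))
    print("HQ -> host, SNAT:     ",
          exchange_with_snat(HOST_NO_GW, HQ_IP, ROUTER_LAN_IP))
```

The simulation mirrors the behaviour described above: pings from the router's LAN address succeed because the reply is on-link, while anything sourced from the far side of the tunnel is delivered but never answered, since the host has no route to send the reply on.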

Is the remote box running SSH or Telnet? Otherwise you're looking at using port forwarding on the Cisco with an ACL. This assumes you've got services even running on that box. If you have SMB running, for example, you could use psexec, or if the box isn't patched you could use an exploit to get a shell on it.

If you use port forwarding, and you're opening up 445 to it, make sure your ACL is tight; you don't want that thing on the Internet.

*****

Ugh, just realized that PAT won't work if that box has no default gateway. Hmmm. Let me think.

Last edited by cd1zz on Mon Oct 10, 2011 7:08 pm, edited 1 time in total.

Yeah, but you'd still need a bind shell listening on that problem XP box. Is there any human being sitting at this PC? If so, I'd just send a bind shell on a USB drive, or better yet, a netsh command in a batch file, and have them open it or set up an autorun script (assuming they don't have that patched).

If you can get a bind shell on that box you could use that IOScat to interface with the PC.

As you can probably tell, it really irks me that such a simple thing is getting in my way. I keep telling myself there MUST BE A WAY. It's just networking. I have Cisco IOS, I have admin credentials for the box at the other end, just no way to get a TCP connection, because return traffic is being dropped.

"Live as though you would die tomorrow, learn as though you would live forever."